Bakaka Bakaka (Ghana) asked:
All personal files are encrypted with .aimmkvi from virus attack

Hi,

I am writing to seek some advice on an issue which was brought to me by one of my clients.

The problem which my client is facing at the moment is that their computer has been infected with a bit locker or ransom virus. All their personal data is encrypted. This includes their personal photos, documents, important files which consist of their personal loan documents, and much more.

Upon receiving the computer (after the client had called me to have a look), the husband had already, and probably, removed the bit-locker .exe by running a paid SpyHunter programme on the system.

I got to the client's house a few days later and ran a few utilities such as Malwarebytes and other tools to scan the system. I also re-ran SpyHunter (the one he had purchased) but found no viruses or infections, as he had already done it. I have also restored the computer to a previous date, or rather back to the only date stored on the system, but it still does not bring back their previous files; the files are still encrypted. I even right-clicked on the encrypted files to choose Previous Versions, but there aren't any previous versions available for any infected file.

This is something I've never come across before. However, when I did some research online, there is so much information, but none of it even shows me how to decrypt the original files. So I take it this kind of problem cannot be fixed.

The client's computer is with me now, waiting to be fixed. Also, the clients advised me about how the problem started: the son (8 years old) downloaded a game online (he normally does, and he had downloaded games before with no problem) and installed it, and found that the PC was infected after the installation (by bit-locker). The father advises that there are no backups in place. They are really desperate to get all their files back (decrypted).

All their files are infected with the ransom virus and all file names end with the prefixed .aimmkvi.

I thought I would write to you to see if you can look into how to fix these kinds of problems and, moreover, provide solutions on how to decrypt the files back to their normal condition.

Thanks, and I look forward to a favorable response.
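A read-only triage check a responder could run before concluding the data is gone, added here as an example and not part of the original thread: it walks a copy of the affected tree, and for every file carrying the .aimmkvi extension named in the question, tests whether the original file's magic number survived (the file was merely renamed and can be recovered by renaming it back) or whether the header is high-entropy, which is what genuinely encrypted content looks like. The magic-number table, the 7.0 bits-per-byte threshold and the sample files are assumptions constructed for the demo.

```python
import math
import os
import tempfile
from pathlib import Path

RANSOM_EXT = ".aimmkvi"  # extension reported in the question
# Magic numbers for the file types the asker lists (photos, documents); not exhaustive.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip container (docx, xlsx)",
    b"\xd0\xcf\x11\xe0": "legacy office (doc, xls)",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_header(header: bytes) -> str:
    """'renamed:<type>' if the original magic survived, else 'encrypted' or 'unknown'."""
    for magic, name in MAGIC.items():
        if header.startswith(magic):
            return "renamed:" + name
    # 7.0 bits/byte over a 4 KiB sample is an assumed threshold; ciphertext sits near 7.9.
    return "encrypted" if shannon_entropy(header) > 7.0 else "unknown"

def triage(root: str, sample: int = 4096) -> dict:
    """Read-only walk: tally how each *.aimmkvi file under root classifies."""
    summary = {"renamed": 0, "encrypted": 0, "unknown": 0, "verdicts": {}}
    for path in sorted(Path(root).rglob("*" + RANSOM_EXT)):
        with open(path, "rb") as fh:
            verdict = classify_header(fh.read(sample))
        summary["verdicts"][path.name] = verdict
        summary[verdict.split(":")[0]] += 1
    return summary

def demo() -> dict:
    """Constructed sample tree: a merely renamed JPEG, random-byte 'ciphertext', plain text."""
    root = tempfile.mkdtemp()
    Path(root, "wedding.jpg" + RANSOM_EXT).write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 200)
    Path(root, "loan.pdf" + RANSOM_EXT).write_bytes(os.urandom(4096))
    Path(root, "notes.txt" + RANSOM_EXT).write_bytes(b"plain text, not encrypted\n" * 40)
    return triage(root)
```

Run it against an image of the drive, never the original disk, so the check cannot disturb data a recovery service might still want.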
ASKER CERTIFIED SOLUTION by Eirman (Ireland), and a further SOLUTION: members-only content, not shown.
There is nothing you can do but pay the ransom.  Once encrypted the files can only be decrypted by the holder of the key.    

This is a lesson learned the hard way, to have a backup. Nowadays drives are so big, in other words you can have so much stuff on a drive, that there should always be a backup. Especially if the data is important.
OriNetworks:

Paying a ransom is not a solution. It is a gamble and not a recommended option, because not only are you contributing to their cause, and who knows what they use the money for, but there is also no guarantee that they will send a decryption key, or that it can even be done since the system has already been 'cleaned'.
link to old versions mentioned above.
Bakaka Bakaka (asker):
@Eirman - that post URL is me too.

The problem is still not fixed; after I consulted with the owner of the PC, he confirmed that he did not have a backup in place.

So what are the solutions here?
Some say don't pay the ransom, as you will not get the key back.

Some say pay and you'll get the key back.

I guess then there is no way to get the files back right?
I wouldn't recommend paying it either, but it's the only potential way to decrypt the files.

Like I said, this is just a lesson learned the hard way. I bet your client has a backup after this.
I will say it again, no reliable way. Paying a ransom is no guarantee, especially since the system is 'cleaned'.
DON'T pay!  It is too late anyway.  The user has deleted the necessary files from the system in order for the decryption key to work.  Is the data even worth the price? Check preev.com for a bitcoin converter.  Once it has been "cleaned" as stated above, it is very unlikely that this will work at all.
@Thomas, the data is very, very, very and very WORTH THE PRICE!

There are wedding photos, personal loan documents, land lease, and the list goes on.

So I take it there are no solutions here then?

I wonder, if I recover the PC HDD, will it bring back all the original files?

This is just my suggestion.
As far as I know, if this is indeed an encryption infection, the user had to initiate it and there is no way other than restoring from backup or shadow copy to retrieve the files.  Does the user have any form of versioning backup (even dropbox would eventually get the files back that were stored there although it is certainly not the best solution)?  Check out my articles on backup and pay special attention to the cloud backup options with versioning:

https://www.experts-exchange.com/Software/Backup_Restore/A_16059-Backing-up-more-than-a-necessity.html

https://www.experts-exchange.com/Software/Backup_Restore/A_17402-Cloud-Backup-Why-I-changed-providers.html

If you read those articles you will see I am a firm believer in having up to date backups.  I have CrashPlan (family version) on my home computers and have it set to backup new files and changes every 15 minutes.

DISCLAIMER:  I am NOT in any way affiliated with products mentioned in this post or in my articles.  I am just a satisfied user.
I wonder, if I recover the PC HDD, will it bring back all the original files?
Presuming you are talking about the recovery partition .....
This recovery option will give you a clean system with NO data or software.
You will need to do this at some point anyway.

The paying of ransom is an ethical issue. If no one ever paid, it would disappear.
I'm including kidnapping in this comment.
Parents often contravene the law by secretly paying ransom to kidnappers.
If it's your kid (or data in your case) it's difficult to be logical ..... and take the never pay attitude.

You could communicate with the hackers,
then for a very small fee they could demonstrate their ability to decrypt one file,  and work from there.
Make sure you can indeed decrypt the data if you are going to go that route. My impression from the initial read of your post was that the computer had already been cleaned, in which case the necessary data to unencrypt the files, even if you pay the ransom, may have been deleted.
This problem is very difficult to deal with, since there are no backups implemented. This is a lesson learned for most of us, particularly non-computer-literate users.

Thanks Thomas, I have taken those URLs for backup purposes. Note taken.

This is probably the last lesson learned this family will ever go through, as they are now considering putting a full backup system in place once their computer is back with them.

And I totally agree, who knows what the heck these hackers are doing once you approach them to pay for the decryption key. They might even trick you more. I will never go that route.

I would be very happy to open the door for remote control to further investigate the problem.

If I can't fix it and you can't either, then the world is a MYSTERY.
I'm very sorry to see another family going through this situation. I wish I could be of more help.

One possible option is to bring the drive to a data forensics/extraction company to see if they can retrieve any files in any way, but if you were to go that route I would keep the power off on the computer and bring it in asap to prevent additional overwriting of any data.

As an additional note, for anyone reading this also note that:
1. Versioned backups are critical. If a backup is fine one time, then the computer gets infected and overwrites the file on the next backup, you're still screwed, because now the backup file has been overwritten with invalid data.
2. Make sure the backup drive is not permanently connected to the computer. When the infection occurs, the malware will scan all connected drives for files to encrypt, including the USB backup drive people leave plugged in or mapped NAS network drives people leave on the network. I know having these devices connected helps automate the process but it also has risk.
One possible option is to bring the drive to a data forensics/extraction company to see if they can retrieve any files
That's highly unlikely to work on files that aren't lost .... just encrypted.
It's expensive too.
I agree Eirman.

The point here, and the only solution we can get out of this trouble, is to accept the lesson learned.

The family who owns this won't even go that route, as the service would be more expensive.

I take it that this issue won't be resolved, as none of the suggestions are able to tackle this problem.

Prior to this, or to posting the issue, I had also already advised and informed the owner that he must put a backup in place for the future, one that has no connection to the PC itself.

I will return the PC now to the owner and explain that he needs to accept this as there are no ways to decrypt back his data.
I absolutely agree the likelihood of finding anything is slim but if they are willing to pay money, I would think this is their only option in the hope of getting ANY data.
Thanks, they have already told me too that they can't afford the service, hence why I posted and asked the community here.

Also, I have done some research and have contacted fireeye.com as well as fox-it, but they confirmed that they cannot help or troubleshoot this issue (decrypt the files), as it's not a cryptolocker but rather a bit-locker.

I tried to upload the encrypted file via the portal decryptolocker.com, but it didn't work, as the encryption prefix isn't associated with the cryptolocker file type.

It's ok; at least anyone who is reading is aware that situations such as this are very difficult to deal with.
This is because nobody can solve this problem. That is basically it.